[SecurityRatty] tag: url

Opera Software Fixes Two Security Vulnerabilities In Opera 9.60

Thu, 09 Oct 2008 11:05:07 +0000

Opera Software has released Opera version 9.60 to address two vulnerabilities. The first vulnerability is due to improper validation of URLs. Exploitation of this vulnerability may allow an attacker to execute arbitrary code or cause a denial-of-service condition. If a malicious page redirects Opera to a specially crafted address (URL), it can cause Opera to [...]

SmartPhones Just One More Spam Vector

Thu, 09 Oct 2008 07:03:56 +0000

The Apple iPhone has another vulnerability, one that shouldn’t surprise you if you’ve been paying attention.

The news of the latest problems surfaced after Apple allegedly ignored researchers’ reports to them and the researchers decided to go public with the news :

In Mail, users can hover over an embedded hyperlink to see the URL, but these URLS get cut off due to the small screen. Users might see a trusted domain, but when they click it, find that the link actually resolves to an untrusted site.

The second vulnerability is that Mail automatically downloads images, leaving users open to malware.

It’s “a pretty dumb design flaw” says the researcher who discovered the problem.

XSF & XSS: Double your pleasure, double your fun

Sun, 21 Sep 2008 17:00:00 +0000

If you've read this blog, or those of my peers, you're likely quite familiar with cross-site scripting, and the problems associated with open redirect vulnerabilities. A vulnerability you may be less familiar with is cross-site framing, which largely couples the best of both above-mentioned vulnerabilities.
What then, if there's a cross-site framing vulnerability coupled with cross-site scripting in the content offered by the frame? All sorts of problems come to mind: phishing, malware, credential theft; all arguably twice removed from the attacker's source, tucked away in the context of two victim sites.
First, I'll discuss the original XSS issue that led to this finding.
Recently, I was investigating a flawed parameter in Openhire, a career posting vendor used by major companies like Crate&Barrel, Eileen Fisher, Enterprise, Benjamin Moore, Scottrade, and Getty Images.
Most of these sites simply link to the Openhire offering that hosts job postings on their behalf which, in turn, has been crafted to look like the referring site.
As an example, here's Scottrade's employment page hosted by Openhire.

http://hostedjobs.openhire.com/epostings/jobs/submit.cfm?version=1&company_id=15624

Standard stuff, looks nicely like the Scottrade site, so everything's cool, right?
Wrong? What if someone hosting a service on your behalf suffers a security gap?
You're only as strong as your weakest link!
Here's the posting for an Application Security Engineer (funny, eh?) at Scottrade as hosted on their behalf by Openhire:

http://hostedjobs.openhire.com/epostings/jobs/submit.cfm?fuseaction=dspjob&id=23&jobid=130527&company_id=15624&version=1&source=ONLINE&JobOwner=976367&level=levelid3&levelid3=18247&parent=St.%20Louis%20Corporate%20Headquarters%3B%3B%3BInformation%20Technology%3B%3B%3BSecurity&startflag=3&CFID=66851845&CFTOKEN=29a95-d12594d4-47d9-49e8-9067-1091bdf68e80

Now here the same job posting spewing massive cookie data:

http://hostedjobs.openhire.com/epostings/jobs/submit.cfm?fuseaction=dspjob&id=23&jobid=130527&company_id=15624&version=1&source=ONLINE&JobOwner=%22%3E%3CSCRIPT%3Ealert(document.cookie)%3C/SCRIPT%3E&level=levelid3&levelid3=18247&parent=St.%20Louis%20Corporate%20Headquarters;;;Information%20Technology;;;Security&startflag=3

Screen shot offered below, as the code above will likely be repaired very soon by Openhire. I notified them this past Thursday.

It's bad enough when there's an application security hole in code someone else is hosting on your behalf, but what if your method of displaying said code is also at risk? Enter the Getty Images Jobs page.

http://www.gettyimagesjobs.com/gettyImagesJobsDisplay.html?http://hostedjobs.openhire.com/epostings/jobs/submit.cfm?fuseaction=careeropps&startflag=0&company_id=15531&version=2&CFID=12265212&CFTOKEN=60213778

Watch what happens when you pull the Openhire code. Can you say self-replicating frame loop from hell (in Firefox)? Trust me your browser will crash if you leave this running too long. This will likely be fixed soon, so if the URL doesn't work, the screen shot exemplifies the issue.

http://www.gettyimagesjobs.com/gettyImagesJobsDisplay.html

What if, instead of Openhire's Getty Images page, or nothing at all (which obviously creates its own issue), we drop in an arbitrary URL?
Yep, you guessed it.

http://www.gettyimagesjobs.com/gettyImagesJobsDisplay.html?http://www.xssed.com/news/26/Cross-site_framed/

Now, bringing it all home for double the pleasure, double the fun, what if we coupled the original Openhire cross-site scripting vuln with Getty Images cross-site frame vuln?

It hurts twice as much, in my book.

http://www.gettyimagesjobs.com/gettyImagesJobsDisplay.html?http://hostedjobs.openhire.com/epostings/jobs/submit.cfm?fuseaction=dspjob&id=23&jobid=130527&company_id=15624&version=1&source=ONLINE&JobOwner=%22%3E%3CSCRIPT%3Ealert(document.cookie)%3C/SCRIPT%3E&level=levelid3&levelid3=18247&parent=St.%20Louis%20Corporate%20Headquarters;;;Information%20Technology;;;Security&startflag=3

The lessons learned:
1) Ensure your partners are writing secure code on you behalf.
2) Ensure that the code you utilize to incorporate said partner's code is also well written. ;-)

Double the headache, double the dumb.

del.icio.us | digg

Spam Campaign Abusing Yahoo's Services

Wed, 17 Sep 2008 05:25:24 +0000

Think spammers.Yahoo.com trusts Yahoo.com, consequently, a spam campaign that using bogus Yahoo.com email accounts, and spamming only Yahoo users with links to Yahoo's search engine using queries leading to the exact spammer's URLs, is almost 100% sure to make it through spam filters. That seems to be case with this spam campaign perfectly fitting into the "spam that made it through" category.

Sample search queries resulting in a single result with the spammer's URL :
- yahoo.com/////////////////////////////search/search;_ylt=?p=())))))))))))))callfold(((((((((((((((()))))))))))((((()))))))5000)))))))))))(((((((
- search.yahoo.com/search?p=(((((())))))))((((((((((((((housetear((((())))))(((((((())))))))(((((((((5000((((((())))))))))))))))))))
- yahoo.com/search/search;_ylt=?p=]]]]]]]]]]]][[[[[[galestay[[]]]]]]][[[[[[[[[[[[[[[[[[[[$229[[[[[[[[[[[[[[[[[[[]]]]
- yahoo.com/search/search;_ylt=?p=(((((())))))))))galestay((((((()((((((((((((((((($229)))))))))))(((()
- yahoo.com/////////////////////////////search/search;_ylt=?p=))))))))))))))(((((richorbit((((((((((((((())))))))))))((((((())))))$229)))))))))))(((((((
- yahoo.com/////////////////////////////search/search;_ylt=?p=))))))(((())))))))))richorbit((((((((((((())))))))((((((((((((((((((((((((((((($229))))))((((())

The search queries lead to galestay.com; housetear.com; callfold.com; richorbit.com with several hundred spam domains participating in the campaign parked at 218.61.7.21 and 220.248.185.64.

With CAPTCHA solving and automatic account registration getting easier to outsource next to the easily obtainable segmented email databases of a particular ISP or web based email service provider, launching such a campaign requires less efforts than it used to before. Interestingly, the spammed through Yahoo emails never leave Yahoo Mail since it's only spamming Yahoo users according to the extensive number of emails CC-ed.

What's to come in the long-term? With an entire spamming infrastructure build on the foundation of the hundreds of thousands of bogus accounts at legitimate services, spammers are already starting to embrace the "legitimate sender" mentality and are working on ways to integrate that infrastructure in their spam systems, evidence of which can be seen in several different managed spamming services.

Related posts:
Microsoft’s CAPTCHA successfully broken
Gmail, Yahoo and Hotmail’s CAPTCHA broken by spammers
Spam coming from free email providers increasing
Inside India’s CAPTCHA solving economy

Internet Explorer security levels compared

Tue, 16 Sep 2008 20:19:36 +0000

A pretty good question came across the newsgroups the other day. Someone was asking what are the differences between IE's "medium" and "medium-high" security settings. I did some digging, and found only this on MSDN: About URL security zone templates. No wonder it's difficult to find -- the terminology is different, and the table is organized by URL actions, not by the text in the dialog.

Someone on the IE security team forwarded me a document that had additional details. So here, for your enjoyment, is a chart listing the default settings for each security level. To answer the newsgroup poster, "medium" and "medium-high" aren't the same.

About the formatting: to get it to fit within the width of the blog's text section, I've made some abbreviations.

Column headings

Entries

H	High	D	Disable
MH	Medium-high	E	Enable
M	Medium	P	Prompt
ML	Medium-low
L	Low

In a few cases, the table shows a number rather than D or E or P; below the table is a description of each such entry.

At the very bottom of this post I've included the settings from the privacy tab, too.

Note: these settings reflect those for Internet Explorer 7 on Vista SP1. Please see the MDSN link above for differences between IE 6 and IE 7.

.NET Framework

	H	MH	M	ML	L
Loose XAML	D	E	E	E	E
XAML browser applications	D	E	E	E	E
XPS documents	D	E	E	E	E

.NET Framework-reliant components

	H	MH	M	ML	L
Permissions for components with manifests	D	1	1	1	1
Run components not signed with Authenticode	D	E	E	E	E
Run components signed with Authenticode	D	E	E	E	E

1 = High safety

ActiveX controls and plug-ins

	H	MH	M	ML	L
Allow previously unused ActiveX controls to run without prompt	D	D	E	E	E
Allow scriptlets	D	D	D	E	E
Automatic prompting for ActiveX controls	D	D	D	E	E
Binary and script behaviors	D	E	E	E	E
Display video and animation on a Web page that doesn't use an external media player	D	D	D	D	D
Download signed ActiveX controls	D	P	P	P	E
Download unsigned ActiveX controls	D	D	D	D	P
Initialize and script ActiveX controls not marked as safe for scripting	D	D	D	D	P
Run ActiveX controls and plug-ins	D	E	E	E	E
Script ActiveX controls marked as safe for scripting	D	E	E	E	E

Downloads

	H	MH	M	ML	L
Automatic prompting for file downloads	D	E	E	E	E
File download	D	E	E	E	E
Font download	P	E	E	E	E

Enable .NET Framework setup

	H	MH	M	ML	L
Enable .NET Framework setup	D	E	E	E	E

Miscellaneous

	H	MH	M	ML	L
Access data sources across domains	D	D	D	P	E
Allow META REFRESH	D	E	E	E	E
Allow scripting of Internet Explorer Web browser control	D	D	D	E	E
Allow script-initiated windows without size or position constraints	D	D	D	E	E
Allow web pages to use restricted protocols for active content	D	P	P	P	P
Allow web sites to open windows without address or status bars	D	D	D	E	E
Display mixed content	P	P	P	P	P
Don't prompt for client certificate selection when no certificates or only one certificate exists	D	D	D	E	E
Drag and drop or copy and paste files	P	E	E	E	E
Include local directory path when uploading files to a server	D	E	E	E	E
Installation of desktop items	D	P	P	P	E
Launching applications and unsafe files	D	P	P	E	E
Launching programs and files in an IFRAME	D	P	P	P	E
Navigate sub-frames across different domains	D	D	D	E	E
Open files based on content, not file extension	D	E	E	E	E
Software channel permissions	1	2	2	2	3
Submit non-encrypted form data	P	E	E	E	E
Use phishing filter	E	E	E	D	D
Use pop-up blocker	E	E	E	D	D
Userdata persistence	D	E	E	E	E
Web sites in less privileged content zone can navigate into this zone	D	E	E	E	P

     1 = Prohibit downloads from software update channels
     2 = Cache content downloaded from software update channels
     3 = Automatically install software updates

Scripting

	H	MH	M	ML	L
Active scripting	D	E	E	E	E
Allow programmatic clipboard access	D	P	P	P	E
Allow status bar updates via script	D	D	D	E	E
Allow Web sites to prompt for information using scripted windows	D	D	E	E	E
Scripting of Java applets	D	E	E	E	E

User authentication

	H	MH	M	ML	L
Logon	1	2	2	2	3

     1 = Prompt the user for name and password
     2 = Automatic logon only in intranet zone
     3 = Automatic logon with current user name and password

Privacy settings (on the "Privacy" tab)

	H	MH	M	ML	L
Allow persistent cookies	D	E	E	E	E
Allow per-session cookies	D	E	E	E	E
Allow third-party persistent cookies	D	P	P	E	E
Allow third-party session cookies	D	E	E	E	E

Links for 2008-09-10 [del.icio.us]

Wed, 10 Sep 2008 20:00:00 +0000

Paul Melson's Blog: ArcSight User Conference 2008
* Logger 3.0 has adopted a more-ESM-like boolean filter interface. Big improvement over the chained-regex search in 2.5 and earlier. * Demo of Logger 3.0 shows that searches of data (no details on data set) are roughly 80x faster than a similar sized search on 2.5. (The claim is 100x faster, but I counted. Still, that's a significant improvement.) * Hugh has hinted that the slick, high-performance append-only storage stuff that Logger has is going to be integrated into ESM is some release beyond 4.5. That could mean the end of the Oracle / PartitionArchiver storage model.
Splunk Tames the Chaos Brought on by Virtualization : VMblog.com - Virtualization Technology News and Information for Everyone
Existing system management tools were not designed to handle the dynamic nature of virtualization. The Splunk for VMWare Management application includes a VMWare API for data input, over 25 pre-defined searches, alerts, and reports and dashboards specifically designed to monitor key metrics for the VMWare Virtual Infrastructure.
Dorian Software BLOG: Why Your HR Department Will Love Windows Vista, Even If Your IT Department Doesn't.
Event ID 4802 tracks whenever the screensaver is invoked after a group policy-determined idle time. Event ID 4803 tracks whenever the screensaver is dismissed by the logged-on user.
Moderately Idiotic Competitor
But the clever inside criminal is taking all the payroll data from the system that is either off the network or is temporarily down. When the machine comes back up, there is no record of the intrusion and the traditional "inside out" log management system tells the user there is no problem.
Last In - First Out: Presumed Hostile - Your Application is Out to Get You
Help - Eclipse SDK - Working with the Log4J Logging sample
Cartoon 2 from The Data Governance Institute ROI
Eccentric Engineer » Blog Archive » Conf Call Hem and Haw
It’s just a damned centralized-logging platform. Unix sysadmins have been doing those for years. This stuff is about as basic as tying your shoes. All this fluff seems like overkill…but it’s IT…and we have policies.
(ISC)2 Blog: Security metrics: more is not better
Are you Owned? | Roer.Com Information Security Blog
# list of all your profiles online, with your log in. # list of all your IM/e-mail and other communication tools, with log in # list of other sites/tools that requires you to log on. # The lists above should also include each sites URL or contact information for changing passwords, or in worst case shutting them down. # a friends-list who you trust, and who are willing to help you get back your own life online. The purpose is to have them help you rebuild your internet presence. Make sure you agree some way for them to be certain that they are communicating with you, and not someone else.
Industry View: Web Application Security Today - Are We All Insane? - CSO Online - Security and Risk
The problem has gotten so bad that industry sources say most websites hosting malware have been hacked, Google says 1.3 percent of their search queries return malicious content, and Vint Cerf (father of the Internet) approximates that one quarter of all PCs are part of a botnet. Firewalls are not working. Antivirus/spyware is not working, nor are weekly patching, user education, SSL, or "turning off the home computer" as recommended by the FBI cyber-crime website. In what has become an inside joke, every authority says to use these "best-practices" despite their ineffectiveness.
TaoSecurity: Schneier Agrees: Security ROI is "Mostly Bunk"

Summarizing August's Threatscape

Wed, 10 Sep 2008 02:57:32 +0000

Following the previous summaries of June's and July's threatscape based on all the research published during the month, it's time to summarize August's threatscape.

August's threatscape was dominated by a huge increase of rogue security software domains made possible due to the easily obtainable templates for the sites, several malware campaigns targeting popular social networking sites, Russian's organized cyberattack against Georgia with evidence on who's behind it pointing to "everyone" and a few botnets dedicated to the attack making the whole process easy to outsource and turn responsibility into an "open topic", several new web based botnet management kits and tools found in the wild, evidence that the 76service may in fact be going mainstream since the concept of cybercrime as a service is already emerging, and, of course, a peek at India's CAPTCHA solving economy, where the best comment I've received so far is that every site should embrace reCAPTCHA, so that while solving CAPTCHAs and participating in the abuse of these services in question, they would be also digitizing books. As usual, August was a pretty dynamic month for the middle of summer, with everyone excelling in their own malicious field.

01. McAfee's Site Advisor Blocking n.runs AG - "for starters"
False positives are rather common, especially when you're aiming to protect the end user from himself and not let him gain access to "hacking tools", but you're flagging security tools as badware and missing over half the SQL injected domains currently in the wild due to the fact that SiteAdvisor's community still haven't reviewed them - that's not good

02. The Twitter Malware Campaign Wants to Bank With You
Twitter, just like every Web 2.0 application, isn't and shouldn't be treated as a unique platform for dissemination of malware, since it's dissemination of malware "as usual". This particular malware campaign was not just executed by a lone gunman, but also, was taking advantage of a flaw allowing the author to add new followers potentially exposing them to the malicious links serving banker malware. For the the time being, MySpace, Facebook and Twitter accounts are the very last thing a malicious attacker is interesting in puchasing accounting data for, but how come? It's all due to the oversupply of automatically registered accounts at other popular services, whose ecosystem of Internet properties empower cybercriminals with the ability to launch, host and distribute malware in between abusing the very same company's services for the blackhat SEO campaign and redirection services. Theoretically, a distributed network build upon the services provided by a single company is faily easy to accomplish due to the single login authentication applied everywhere. A singly bogus Gmail account results in a blackhat SEO hosting blogspot account, flash based redirector hosted at Picasa, and a couple of thousands of spam emails sent automatically sent through Gmail in order to abuse it's trusted email reputation

03. Compromised Web Servers Serving Fake Flash Players
If aggressiveness matter, this campaign consisting of remotely injected redirection scripts at legitimate sites next to on purposely introduced malware oriented domains, was perhaps the most aggressive one during the month. Fake flash players, fake windows media players and fake youtube players are prone to increase as a social engineering tactic of choice due to the template-ization of malware serving sites for the sake of efficiency

04. Pinch Vulnerable to Remotely Exploitable Flaw
With Zeus vulnerable to a remotely exploitable flaw allowing cybercriminals to hijack other cybercriminal's Zeus botnet, private exploits targeting the still rather popular at least in respect to usefulness Pinch malware are leaking, allowing everyone including security researchers to take a peek at a particular campaign running unpatched Pinch gateway

05. Phishers Backdooring Phishing Pages to Scam One Another
Backdooring phishing pages is perhaps the most minimalistic approach a cybercriminal wanting to scam another cybercriminal is going to take. The far more beneficial approach that I've encountered on a couple of occassions so far, would be to backdoor a proprietary web malware exploitation kit, release it in the wild, let them put the time and efforts into launching the campaigns, then hijack their botnet. In fact, the possibilities for backdooring copycat web malware exploitation kits in order to take advantage of the momentum while introducing a non-existent kit has always been there at the disposal of malicious attackers. One thing's for sure - there's no such thing as a free web malware exploitation kit, just like there isn't such thing as a free phishing page

06. Email Hacking Going Commercial - Part Two
In between the scammers promising the Moon and asking for anything between $20 to $250 to hack into an email account, there are "legitimate" services taking advantage of web email hacking kits consisting of each and every known XSS vulnerability for a particular service in an attempt to increase the chances of the attacker. And given that the majority of these have been patched a long time ago, social engineering comes into play. Do these services have a future? Definitely as more and more people are in fact looking for and requesting such services, in fact, they're willing to pay a bonus considering how exotic it is for them to have any email that they provide hacked into and the accounting data sent back to them

07. The Russia vs Georgia Cyber Attack
Event of the month? Could be, but just like every "event of the moth" everyone seems to be once again restating their "selective retention" preferences. What is selective retention anyway? Selective retention is basically a situation where once Russian is attacking another country's infrastructure, you would automatically conclude that it's Russian FSB behind the attacks and consciously and subconsciously ignore all the research and articles telling you otherwise, namely that the FSB wouldn't even bother acknowledging Georgia's online presence, at least not directly. Moreover, talking about the FSB as the agency behind the cyberattacks indicates "selective retention", talking about FAPSI indicates better understanding of the subject.

In times when cybercrime is getting ever easier to outsource, anyone following the news could basically orchestrate a large scale DDoS attack against a particular country in order to forward the responsibility to any country that they want to. In Russia vs Georgia, you have a combination of a collectivist society that's possessing the capabilities to launch DDoS attacks, knows where and how to order them, and that in times when your country is engaged in a war conflict drinking beer instead of DDoS-sing the major government sites of the adversary is not an option.

Selective retention when combined with a typical mainstream media's mentality to "slice the threat on pieces" instead of turning the page as soon as possible, is perhaps the worst possible combination. Furthermore, coming up with Social Network analysis of the cyberattacks would produce nothing more but a few fancy graphs of over enthusiastic Russian netizen's distributing the static list of the targets. The real conversations, as always, are happening in the "Dark Web" limiting the possibilities for open source intelligence using a data mining software. Things changed, OPSEC is slowly emerging as a concept among malicious parties, whenever some of the "calls for action" in the DDoS attacks were posted at mainstream forums, they were immediately removed so that they don't show up in such academic initiatives

08. 76Service - Cybercrime as a Service Going Mainstream
The reappearance of the 76Service allowing everyone to log into a web based interface and collect all the accounting and financial data coming from malware infected hosts across the globe for the period of time for which they've bought access, indicates that what used to be proprietary services which were supposedly no longer available, are now being operated in a do-it-yourself fashion. Goods and products mature into services, so from a cost-benefit analysis perspective, outsourcing is naturally most beneficial even when it comes to cybercrime

09. Who's Behind the Georgia Cyber Attacks?
If it's the botnets used in the attacks, they are known, if it's about who's providing the hosting for the command and control, it's the "usual suspects", but just like previous discussion of the Russian Business Network, it remains questionable on whether or not they work on a revenue-sharing basis, are simply providing the anti-abuse hosting, or are the shady conspirators that every newly born RBN expert is positioning them to be.

Cheap conversation regarding the RBN ultimately serves the RBN, and just for the record, there's a RBN alternative in every country, but the only thing that remains the same are the customers, tracking the customers means exposing the RBN and the international franchises of their services, making it harder to identify their international operations. And given that the "tip of the iceberg", namely RBN's U.S operations remain in tact, talking about taking actions against their international operations in countries where cybercrime law is still pending, is yet another quality research into the topic building up the pile of research into the very same segments of the very same ISPs.

Just for the record - these "very same ISPs" are regular readers of my blog, and if you analyze their activities, they're definitely reading yours too, ironically, surfing through gateways residing within their netblock that are so heavily blacklisted due to the guestbook and forum spamming activities that their bad reputation usually ends up in another massive blackhat SEO campaign exposed.

10. Guerilla Marketing for a Conspiracy Site
Conspiracy theorists may in fact have a new wallpaper to show off with

11. Banker Malware Targeting Brazilian Banks in the Wild
When misinformed and not knowing anything about a particular underground segment, a potential cybercriminal would stick to using such primitive compared to the sophisticated banker malware kits currently in the wild. These sophisticated banker malware kits are often coming in a customer-tailored proposition, with their price increasing or decreasing based on the specific module to be included or excluded. For instance, a module targeting all the U.S banks that has been put in a "learning mode" long before it was made available to the customers can be requested and is often available with the business model build around the customer's wants

12. Compromised Cpanel Accounts For Sale
Despite the massive SQL injection attacks, accounting data for Cpanel accounts coming from malware infected hosts seems to be once again coming into play, which isn't surprising given the filtering capabilities and log parsing tools today's botnet masters are empowered with. These very same compromised Cpanel accounts and the associated domains often end up so heavility abused that it's tactics like these that are driving the underground multitasking mentality, namely, abusing a single compromised account for each and every malicious online activity you can think of - even hosting banners for their blackhat SEO services

13. A Diverse Portfolio of Fake Security Software - Part Two
In August we saw a peek of fake security software, neatly typosquatted domains whose authors earn revenue each and every time someone installs the software. The vendors behind this software are forwarding the entire process of driving traffic to those excelling in aggregating traffic and abusing it. As anticipated, underground multitasking started taking place within the fake security software domains, with the people behind them introducing client-side exploits in order to improve the monetization of the traffic coming to the sites

14. DIY Botnet Kit Promising Eternal Updates
There's no such thing as a (quality) free botnet kit. What's for free is often the leftovers from a single feature of a more sophisticated proprietary botnet kit. This one in particular is however trying to demonstrate that even a plain simple GUI botnet command and control software can achieve the results desired by an average script kiddie, and not necessarily satisfy the needs of the experienced botnet master

15. A Diverse Portfolio of Fake Security Software - Part Three
As far as trends and fads are concerned, the majority of the domains are currently parked at up to four different IPs, with most of them going into a stand by mode once they get detected and reappear back couple of weeks later

16. Fake Celebrity Video Sites Serving Malware - Part Two
Due to the template-ization of fake celebrity video sites, and simple traffic management tools combined with blackhat SEO tactics, these sites are also prone to increase in the next couple of months

17. Web Based Botnet Command and Control Kit 2.0
It's releases like these that remind us of the amount of time, efforts and personal touch that a malicious attacker would put into such a management kit, currently acting as a personal benchmark as far as complexity and features indicating the coder's experience with botnets is concerned. What's he's failing to anticipate is that this kit is sooner or later going to turn into the "MPack of botnet management"

18. A Diverse Portfolio of Fake Security Software - Part Four
Keep it coming, we'll keep it exposing until we end up getting down to the "fake software vendor" itself

19. Automatic Email Harvesting 2.0
Email harvesting is slowly maturing into a vertically integrated service provided by vendors of managed spamming services. This email harvesting module is aiming to close the page on text obfuscation in respect to fighting spam, and is successfully recognizing and collecting such publicly available emails. From a psychological perspective though, the end users who bothered to obfuscate their emails are less likely to fall victims into phishing scams, with the obfuscation speaking for a relatively decent situational awareness on how they emails end up in a spammer's campaign

20. Fake Porn Sites Serving Malware - Part Three
As a firm believer in sampling in order to draw conclusions on the big picture, an approach that has proven highly accurate in modeling historical and upcoming tactics and behavior, a single fake porn site serving malware campaign usually exposes a dozen of misconfigured redirectors, which thanks to their misconfiguration despite the evasive features available within the kits, expose another dozen of malware campaigns

21. Facebook Malware Campaigns Rotating Tactics
With no particular flaw exploited other than the social engineering tactic of using already compromised Facebook accounts who would automatically spam all their friends with links to flash files hosted at legitimate services, the more persistent the campaign is, the higher the chance that it will scale enough. This campaign in particular is mainly relying on rotation of tactics, namely different messages, different services and file extensions used in order to trick someone's friend into visiting the URL. With the number of users increasing, the most popular social networking sites are naturally going to be permanently under attacks from cybercriminals

22. Fake Security Software Domains Serving Exploits
Despite that it's a single brand, namely the International Virus Research Lab that's introducing client-side exploits within it's portfolio of domains, the opportunity for abuse may be noticed by the rest of the brands pretty fast

23. Exposing India’s CAPTCHA Solving Economy
Taking into consideration the mentality surrounding a particular country's cybercriminals, how they think, how they operate, what do they define as an opportunity, and how much personal efforts are they willing to put into their campaigns, I wouldn't be surpised if a Russian vendor offering 100,000 bogus Gmail accounts for sale has in fact outsourcing the account registration process to Indian workers, paid them pocket change and is then reselling them ten to twenty times higher than the price he originally paid for them.

The text based CAPTCHAs used at the major Internet portals and services, are so efficiently abused by this approach that continuing to use is directly undermining the trust these email providers and services often come with as granted

Zango And The Batman Online Videogame

Wed, 03 Sep 2008 07:00:00 +0000

This is Newsarama, a site (mostly) geared around comics and other related media:

Click to Enlarge

You'll notice Batman, over on the right there. Let's take a closer look:

"Free Online Batman Game"? Well, that's curious because I follow comics pretty closely and I'd be the first to know if an "Online Batman Game" had been in the works (this advert has been doing the rounds on numerous comic-related websites. Visit the URL in the ad - Batmangame.info - and you'll see this...

Click to Enlarge

There it is again - "Online Batman Game". Furthermore, the text goes on to say:

"Batman Online lets you do anything and every little thing you'd like in a Batman game. From leveling up your character to destroying villans, it has it all. Download and play this amazing game now, all for free! I'm sure you'll be playing for hours on end, it's that much fun.

    Level Up Your Character

   Explore a Huge Vast World

   Play Online With Your Friends

   Hundreds of Quests To Finish

   Perfect Battle System

So start your Batman adventure today! Download the full game below and fight them all!"

Note that they specifically call it "Batman Online". It specifically sounds like a text blurb you'd expect to see with a MMORPG. However, something isn't quite right here.

1) The only DC licensed MMORPG anybody knows of is this, and it isn't due out until 2009. It's not Batman-centric, either.

2) The screenshots are lifted from the Batman Begins videogame, which came out in 2005. If you were offering a "Batman Online Game", wouldn't you use screenshots from that instead of an unrelated title?

3) Absolutely no licensing, copyright or legal mumbo-jumbo on the page anywhere. DC and Warner Bros don't roll like that.

4) The website - Batmangame(dot)info - is registered anonymously. Not exactly something you see everyday for websites related to licensed DC franchises such as Batman videogames.

5) "To download and play the Batman Online Game you must download and install Zango as well. It is free, very easy to install and will give you access to the full game."

Shall we continue?

Click to Enlarge

A Zango installer prompt, complete with picture of Batman at the top. If you say "No" to the install, you end up on Google.com. What happens if you click "Start"? Well, you'll get the usual collection of Zango installer screens including one that rather humorously has a guy in a superhero costume.

Once everything is installed, you're taken to another page and from here things just get plain confusing. Remember, up to this point you've been promised an "Online Batman Game", the description of which is clearly intended to evoke images of a MMORPG. However....

Click to Enlarge

All of a sudden, you're being told you're downloading "Batman: Vengeance" on a cheap-looking splash page and shown what looks like an unofficially ripped Batman: Vengeance trailer on Youtube.

In case you're unaware, Batman: Vengeance is a videogame first launched way back in 2001 for consoles (followed shortly after by a PC version). What does this have to do with an "Online Batman Game"? Well, nothing, actually. Aside from the fact you were presented with one thing and are now handed another, things get even stranger when you see the download location:

Click to Enlarge

Have you ever heard of an officially licensed game being offered via Rapidshare downloads? It's possible, I guess, but it seems a little odd. However, the real oddness is reserved for the "Online Batman game" itself.

Remember, we've been promised "Hundreds of quests", "A huge vast world", the ability to "level up your character" and (of course) the "play online with your friends" promise of greatness.

Click to Enlarge

Imagine your dismay, then, when you've installed Zango, downloaded the game from Rapidshare using up around 140MB of bandwidth, installed it and....

Oh dear.

Not only are you given a totally different game than what was advertised, you're given a DEMO VERSION of that game with four short sample levels present, no online functionality and quite a few less quests than the "hundreds" advertised.

Hilariously, you can download a 100% legit copy of this demo here at Fileplanet, sans Adware. Setting aside the issue of whether this file is actually sitting on Rapidshare with either Ubisoft or DC / Warner Bros permission (and if it IS okay to be there, I'm pretty sure it's NOT okay to falsely advertise it as some kind of MMORPG) there are some questions that need to be raised here.

When this guy approached them with his website, did nobody stop to think that this game did not actually match up with the "Online Batman" game it was touted as? Didn't someone at Zango Quality Control actually download the game and see the big "This is a demo" wording as soon as it starts up? Or question why the screenshots on the website don't look like the graphics for Batman: Vengeance in the slightest?

However you look at it, this is a scam, pure and simple. Whoever came up with the idea of an "Online Batman Game" is lying through their teeth. Of course, because their website is registered anonymously we have no idea who the culprit is, unless of course Zango want to deposit them on the steps of Gotham City and let me dispense some Batman-style justice to their posterior.

However, based on the way these things tend to go - God forbid anyone ever offer up the identity of someone happily scamming the public at large, even when that person is dragging the name of the company associated with them through the mud by their antics - I think I might be waiting some time for the Bat Signal...

Mac, Windows clipboards poisoned by URL attacks

Tue, 19 Aug 2008 09:00:00 +0000

In what a security researcher called a cunning attack, infected Web ads are poisoning Mac and Windows users' clipboards with URLs designed to trick people into visiting sites touting bogus security software.

Mac, Windows clipboards poisoned by URL attacks

Mon, 18 Aug 2008 20:00:00 +0000

Infected Web ads are poisoning Mac and Windows users' clipboards with URLs, researchers said Tuesday, in a "very cunning" attack designed to trick people into visiting sites touting bogus security software.